The Hidden Vulnerabilities in Email Security

Summary
– Email is the primary attack vector, with malware, scams, and phishing showing year-over-year increases of over 130%, 30%, and 20% respectively.
– 78% of organizations experienced an email breach in the past year, primarily driven by phishing, impersonation, and account takeover, which often lead to ransomware and data loss.
– The manufacturing sector is the most targeted industry for email-based attacks, followed by retail and healthcare, a trend consistent for multiple quarters.
– Attackers attempted to steal over $300 million via vendor email compromise (VEC), exploiting employee difficulty in distinguishing these attacks from legitimate vendor communications.
– 99% of email threats reaching inboxes in 2024 were social engineering or phishing attacks, highlighting the ineffectiveness of traditional defenses against these high-risk threats.
Despite its foundational role in business communication, email remains the most common entry point for cyberattacks, exposing critical vulnerabilities across all sectors. Recent data reveals a dramatic surge in malicious email activity, with malware-laden messages increasing by over 130% year-over-year. Simultaneously, scams have risen by more than 30% and phishing attempts by more than 20%. These attack vectors are responsible for the majority of operational disruptions organizations face, from compromised accounts to significant business downtime.
The scale of the problem is stark. Over the past year, 78% of organizations experienced an email breach. The primary culprits continue to be phishing, impersonation, and account takeover, which frequently serve as the initial steps toward ransomware deployment and data theft. Phishing and its more targeted cousin, spear phishing, are the most prevalent breach types, often intertwined with business email compromise and account hijacking. A single deceptive email can provide attackers with the credentials needed to impersonate employees, exfiltrate sensitive data, or distribute malware throughout a corporate network.
For six consecutive quarters, the manufacturing sector has been the prime target for cybercriminals. In the second quarter of 2025, manufacturers endured 26% of all reported email-based attacks, including business email compromise, phishing, and malicious spam. The retail industry follows as the second-most targeted, accounting for 20% of incidents, with healthcare close behind at 19%. This targeting pattern has remained consistent since the previous year.
Within healthcare, email presents a particularly acute risk. Outdated security systems and cumbersome tools often frustrate staff, leading them to circumvent protective measures. This creates dangerous gaps that leave sensitive patient information vulnerable to exposure.
The financial motivation for attackers is clear. In just one twelve-month period, cybercriminals attempted to steal more than $300 million through vendor email compromise schemes. Alarmingly, 7% of engagements in these attacks came from employees who had already interacted with a previous VEC attempt. Distinguishing a legitimate vendor message from a sophisticated forgery is increasingly difficult, especially in large enterprises. Employees at the biggest organizations, those with 50,000 staff or more, demonstrated the highest rate of repeated engagement with these fraudulent vendor communications.
Attackers are constantly refining their methods. A notable emerging trend is the rise of callback phishing scams, which accounted for 16% of phishing attempts in early 2025. This method was virtually nonexistent the year prior. Its growth coincides with a significant 42% drop in the use of malicious links, which previously dominated phishing campaigns. In a callback phishing attack, victims are socially engineered via email or text to call a fraudulent support number, where they are tricked into revealing credentials or downloading malware.
An analysis of threats that bypass initial filters reveals a critical shift. In 2024, a staggering 99% of malicious emails reaching user inboxes were either response-based social engineering attacks or contained phishing links. Only 1% delivered traditional malware payloads. This statistic underscores a major weakness in common email defenses: while they are effective at blocking malware, they often fail to intercept high-risk threats like business email compromise and credential phishing.
The threat landscape is now more sophisticated than ever. Users face impeccably crafted phishing campaigns generated by artificial intelligence, subtle business email compromise messages that perfectly mimic a colleague’s writing style, and highly convincing ploys from impersonated trusted vendors. Research indicates that approximately nine out of ten emails are classified as spam, unwanted, unsolicited, or malicious. Among the never-before-seen spam emails in that set, 37% were commercial in nature, 32% were outright scams, and 21% fell into the phishing category.
(Source: HelpNet Security)